Friday, January 18, 2013

Look before you click - or Phish Spotting

As a public service, I thought I'd provide a little forensic analysis of an incident I experienced yesterday.  The punchline is:  when in doubt about the legitimacy of a web site, try a whois search.

Annapurna was very excited yesterday evening at receiving an email that purported to be from the school of her choice, encouraging her to request admission info from them.

Now, let me say from the start, that I think that said school would be very wise to encourage her to apply,  and I think it not unlikely that it will in time be brought to its senses and will ultimately send her a supplication to grace it with an application and a $50 application fee.

But that may not be what she got yesterday.

No.  This was a college admissions phishing email.  It said,

Based on your achievements thus far, I invite you now to request our viewbook [with a link to...well...you'll hear more about that later],  Within its pages you will discover the countless ways our dynamic campus in [city of School of Choice] can educate, invigorate and inspire you.
Sincerely,
[Real name of Dean]  
Dean of Undergraduate Admissions and Financial Aid 
P.S. We also offer one of the most generous need-based financial aid programs in the country. We received your contact information from the Student Search Service of the College Board. 
Flattering, no?  Who could resist clicking on that magic link?  And if you did, you'd see a page that looked like something the School-of-Choice might put together, complete with school colors, logos, links to legitimate pages at School-of-Choice, etc.

Here's how I got in this story.

I had heard Annapurna going on for a while about the invitation, but I didn't pay much attention.  She's gotten enough legitimate solicitations for applications that in my books this one was no biggie.  It was when she started pestering me about "Should I put your email or Dad's?" that I started to tune in.  I was like, "What?  What do they want MY email for???"  My spam detector was buzzing.
  • Dawn's Helpful Hint (DHH) #1:  a site that already has YOUR email and has already taken the liberty of establishing a relationship with you probably doesn't have any legitimate reason to be asking for anyone else's email address or contact info UNLESS you are in some very, very official process (like an actual college application or providing death benefits information).  Whenever you get a request for someone else's info, your scam detector should go off.  Before you supply the information ALWAYS think very carefully...does this site REALLY need this?  Really?  Why??? And would that person get upset if I gave out their information?
Further investigation showed that the link went to something that looked like it might be related to School-of-Choice, but wasn't quite right.  Let's pretend that the URL for School-of-Choice is http://www.soc.edu.  This thing went to http://www.soc-admin.org.
  • DHH #2:  universities almost always use a .edu domain.  If you see something that purports to be from a university but doesn't end in .edu...be suspicious.
  • DHH #3:  when in doubt about whether a web page is associated with a large organization like a university or a bank, try to get there from the home page of the organization.  In this case, we went to http://www.soc.edu, and of course the normal admissions pages we got to from there had nothing to do with http://www.soc-admin.org.
And here's the pièce de résistance:
  • DHH #4: You can always get some pretty interesting information about who really owns the site by performing a WHOIS search.  Network Solutions provides a reasonable one. For example, if you do a whois search on mtsd.us, you will find:
    Registrant Name:                             Thomas DeSisto
    Registrant Organization:                     Montgomery Township Board of Education
    Registrant Address1:                         1014 RT. 601
    Registrant City:                             Skillman
    Registrant State/Province:                   NJ
    Registrant Postal Code:                      08558
    Registrant Country:                          United States
    Registrant Country Code:                     US
    Registrant Phone Number:                     +1.6094667182
Looks pretty legit for Montgomery, no?  But when we did that whois search on that soc-admin.org, we found it was registered by one Royall and Company in Virginia. Nowhere near School-of-Choice.  Not surprisingly, when we combed through Annapurna's email for the assorted solicitations she has received over the past few months, many, many of them contained links to websites registered by that very same Royall and Company.  
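The checks from DHH #2 through #4, as an added Python example that is not part of the original post: it tests a link against the organization's real domain and reads the registrant out of WHOIS text. The soc.edu and soc-admin.org names are the post's placeholders, "School-of-Choice" stands in for the expected registrant, and the WHOIS record is a constructed sample based on what the post reports.

```python
from urllib.parse import urlsplit

# Constructed sample: WHOIS-style text for the post's placeholder domain,
# built from what the post reports; not real registry output.
SAMPLE_WHOIS = """\
Domain Name:                                 SOC-ADMIN.ORG
Registrant Organization:                     Royall and Company
Registrant State/Province:                   VA
Registrant Country Code:                     US
"""

def parse_whois(text):
    """Turn 'Key:   Value' lines into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record

def host_of(url):
    """Lower-cased host name of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(host, official_domain):
    """True only for the official domain itself or a subdomain of it."""
    official = official_domain.lower()
    return host == official or host.endswith("." + official)

def red_flags(link, official_domain, whois_text, expected_org_words):
    """Return a list of human-readable reasons to distrust the link."""
    flags = []
    host = host_of(link)
    # DHH #3: the page should live under the organization's own domain.
    if not belongs_to(host, official_domain):
        flags.append(f"{host} is not {official_domain} or a subdomain of it")
    # DHH #2: a university link that does not end in .edu.
    if official_domain.endswith(".edu") and not host.endswith(".edu"):
        flags.append(f"{host} does not end in .edu")
    # DHH #4: the WHOIS registrant should name the organization.
    org = parse_whois(whois_text).get("registrant organization", "")
    if not any(w.lower() in org.lower() for w in expected_org_words):
        flags.append(f"WHOIS registrant is {org or 'not listed'!r}")
    return flags

if __name__ == "__main__":
    for flag in red_flags("http://www.soc-admin.org", "soc.edu",
                          SAMPLE_WHOIS, ["School-of-Choice"]):
        print("RED FLAG:", flag)
```

Registrant fields are often redacted or hidden behind a privacy service, so treat a WHOIS mismatch as a reason to reach the page from the organization's home page (DHH #3) rather than as proof of fraud.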

So why does Royall and Company want to pretend to be assorted gourmet universities?  I don't know.  I'm not Royall and Company.  Their web site indicates that they do direct marketing for student recruitment.  So maybe I'm being too cynical and these universities really have hired Royall to reach out to students who fit some profile or other.  Or maybe they want to sell mom and dad's email address to banks looking to make student loans.  Or both.  I can't tell.  
